Ethical Hacking
  • Introduction to Information Security
    • What is Hacking?
    • Type of Hacking
    • Exercise
    • Uses of Proxy Servers
    • Summary Proxy & VPN
    • Summary
  • Gathering Information About Websites
    • Gathering Information
    • Gathering Targeted Information
  • Google Droks
  • Introduction to Web Architecture and Understanding Common Security Misconceptions
    • Web Servers
    • Web Server Architecture
    • Web Server Architecture Combinations
  • VA & PT
    • OWASP
    • SQL Injection
    • Advanced SQL Injections
    • Burp Suit
      • Client Side Validation Burp Suite Bypass
      • Client Side Validation Burp Suite Bypass
      • GET Based IDOR in URL
      • Post Based IDOR Variant
      • GET Based IDOR in URL
      • Post Based IDOR in URL
      • Download based
  • Arbitrary File Upload Vulnerabilities
    • Server Side Attack
    • Server Side Attack
    • Client Side Attack
  • Understanding Response Headers
    • Event Listeners
  • Fundamentals of Cross Site Scripting (XSS)
    • Temporary XSS
  • Understanding Forced Browsing and Session-Cookie Flaws
    • Forced Browsing
    • Cross Site Request Forgery
    • Open Redirection
  • Dictionary Based Brute Force Attacks
    • Dictionary Based Bruteforcing
    • Logical Bruteforcing
    • PII Leakage Variant
  • Identifying Security is configurations and Exploiting Outdated Web Applications
    • Information Disclosure via Descriptive Messages
    • Default Debug Pages
    • How to guess password for a standard login page
    • Default/Weak Password in Custom CMS
    • Fingerprinting Components with Known Vulnerabilities
    • Finding Exploits for Components with Known Vulnerabilities
    • Default/Weak Password in Public Software
    • Vulnerable Components Installed
    • Vulnerable Components Installed 2
    • Vulnerable Components Installed 3
  • Scanning for Bugs in WordPress and Drupal
    • What is CMS?
    • Variant 1
    • Vulnerable CMS
    • How to Scan Drupal CMS for Known Vulnerabilities?
    • Joomla CMS
  • Automating VAPT and Secure Code Development
    • information gathering
    • Nmap Scans
    • Automating VAPT:
  • POC
    • Recommendations for Documenting a Vulnerability
    • PoC
    • Types of Reports
    • Recommendations for OWASP Top 10 Vulnerabilities
    • Components of a VAPT Report
    • Vulnerability Information (for each vulnerability)
    • Bad Practices to Avoid While Writing a Report
Powered by GitBook
On this page
  1. Identifying Security is configurations and Exploiting Outdated Web Applications

Default Debug Pages

These are also referred to as default files/folders/url that contain crucial information of servers. Hackers exploit these default files which further helps them to plan their attacks. Below are few examples of default files that you may find in a website.

1. Robots.txt - One can find this file in the base directory of a website. This file is used by server administrators to disallow search engines like Google, Bing, etc. to record certain pages/folders as it may contain interesting folders and files which a developer is trying to hide.

2. Phpinfo.php - This file is a common debug file in PHP applications that contains huge amount of information regarding the server.

3. Users.xml - This file generally contains usernames and passwords which hackers may exploit.

4. Backup.sql - This default file is crucial as it may contain complete database backup.

5. Config.bak - This may be a configuration file that stores passwords and keys.

6. error_log / error.log - This file contains all error logs of the server which can reveal vulnerabilities to hackers.

7. server-status and server-info - These are common Apache page that contains server information.

8. manager/html - This default url takes you to Tomcat login page that can further disclose sensitive server information.

9. phpmyadmin - It is the login page for PHPmyadmin - a software used for managing SQL databases from the website. Exploiting a database can compromise all the data inside it.

Apart from these, there are many more default files that you should check and search for. You might not be able to find these default files as they may have been restricted by server administrators.

PreviousInformation Disclosure via Descriptive MessagesNextHow to guess password for a standard login page

Last updated 1 year ago